UNABLE TO SIGN IN TO GRANT ADMIN CONSENT FOR P2S VPN

Question

Hi,
I visit the below URL to give admin consent so that my Point to site users can be authenticated using azure active directory -- https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

but unfortunately I am getting the following error --

Request Id: 5617774a-a381-44ca-b1be-a9e1429b4f00
Correlation Id: 2a1c2bf8-e159-4890-a470-450a27a695a5
Timestamp: 2022-03-08T09:26:44Z
Message: AADSTS50020: User account 'ananayojha@Stuff .com' from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application '41b23e61-6c1e-4545-b367-cd054e0ed4b4'(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Please help me resolve this.

Answer 1

Hello @Ojha18a-0713 ,

I understand that you are trying to setup Azure point to site VPN with Azure Active Directory authentication and were trying to give admin consent to your Point to site users to be authenticated using Azure AD by visiting following URL : https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent , but receiving the "AADSTS50020" error.

As per our official doc, you need to sign in to the Azure portal as a user that is assigned the Global administrator role. If you are using a global admin account that is not native to the Azure AD tenant to provide consent, please replace “common” with the Azure AD directory id in the URL (https://login.microsoftonline.com/**common**/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent). You may also have to replace “common” with your directory id in certain other cases as well.

The Directory ID of the directory that you want to use for authentication is listed in the properties section of the Active Directory page.
Please refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant#enable-authentication

NOTE :

• Native member to Azure AD tenant is a member user or Azure AD member whose account is created via Azure AD > Users > Create user option in the tenant.
• A user not native to the Azure AD tenant means a user who is brought over from another directory as a business-to-business (B2B) collaboration guest (guest user).

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hello
I am having same issue, unable to add app registration to AAD tenant
I am sure I am using Global Administrator account.
Also I have tried to replace /common/ part with tenant ID

here is error I am receiving:

AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor.
Trace+ID:+9d84907a-9531-4352-826a-dcf72f94bf00
Correlation+ID:+7b360593-4c8a-4a44-af8b-842ed42149ed
Timestamp:+2022-12-21+09:15:15Z